Tomcat 5.5 + Poodle SSLv3 vulnerability - How to disable SSLv3?

I've been searching around, trying to figure out how to disable SSLv3 in Tomcat5.5, but can only seem to find info about this with relation to Tomcat 6 or 7, and the process is different for each.

My understanding for Tomcat 6 is the following:

sslProtocol="TLSv1.1" protocols="TLSv1.1"

This should force Tomcat 6 to use TLSv1.1 only.
Does anyone know if the same method for Tomcat 6 works in Tomcat 5.5, or if it's different?

(I should specify that we can use any version of TLS that Tomcat 5.5 supports)
This is related to PCI compliance.

We are still on Java 1.5 for these servers, btw. This might determine which versions of TLS we can use.

I can't say for certain. But Tomcat is using the Java security infrastructure, which is based on plugin encryption modules. And I'm fairly sure that the master settings for that are in the JVM files themselves.

You may have other security issues besides TLS, however, if you're running the servers under Java 1.5. There have been enough lately even on Java 7. Which, at least gets support from Oracle.

Java 1.5 has passed End Of Life, as has Tomcat 5.5.

At a minimum, consider running Tomcat 5.5 using a Java 1.7 JVM.

For a PCI compliant shop I would agree that you should schedule Java 7 and Tomcat 7 upgrades as soon as possible. Anything that's exploitable today will likely be tested in next year's PCI check.

While there's nothing wrong with having Tomcat handle SSL, my gut feeling for a site handling payments would nonetheless be to front Tomcat with an Apache that terminates SSL (and optionally also handles a loadbalancing/failover configuration for the Tomcat(s) ).

Ulf Dittmer wrote:
While there's nothing wrong with having Tomcat handle SSL...

There is however, something wrong with having Tomcat handle SSL on port 443.

In order for Tomcat to handle ports 80 and 443, it has to be running with root privileges and that's a major security exposure. Tomcat should not be run as root.

That's one of the really big reasons why Tomcat is often proxied by Apache. Apache can handle that problem.

There is a special parent server option that would allow Tomcat to safely listen on ports 80 and 443, but it's not available until at least Tomcat 6, and maybe not until Tomcat 7.

Even then, I prefer an Apache proxy. As Ulf noted, it can help load-balance a Tomcat cluster and it allows mixing J2EE and non-Java webapps under a single server.

I appreciate the concerns about security.
I share those concerns and have been making sure my boss and the development team are aware of these issues.
Unfortunately for me, it's entirely up to the development team to switch to newer versions.

Is there no CTO who evaluates the costs of upgrading against the risks of not doing so? In a PCI environment (which I'm very familiar with) that sounds like a dangerous setup. Decisions about security tradeoffs should not be made by the development team, especially not when it comes to PCI, where non-compliance can mean going out of business.

Well, I tested out the setting in the original post and it appears to break our payment system.
Unfortunately, our developers don't seem to understand the underlying encryption settings any better than I do.
I'm just a SysAdmin. I never wanted to be a programmer....

*sigh*